Transitive authentication authorization accounting in the interworking between access networks

ABSTRACT

A method and a system for allowing a user device that has already been authenticated by a first communications network to gain access to a second communications network without undergoing authentication by the second communications network. The first communications network and the second communications network have a pre-established trust relationship therebetween. A packet is received from the user device that includes a user device public key, by the second network via the first network. A session key is sent from the second network to the user device, via the first network, when a source Internet Protocol (IP) address associated with the packet falls into a range allocated to the first network. The session key is encrypted with the user device public key. The user device decrypts the session key using a private key and uses the session key thereafter to access the second network. Further, a mapping is generated to correlate the identity of the user device with the session key, such that usage data related to the user device is generated by the second communications network and transmitted to the first communications network, which generates accounting information indicative of user device access of the second communications network.

This application claims the benefit, under 35 U.S.C. § 365, of International Application PCT/US03/07623, filed Mar. 12, 2003, which was published in accordance with PCT Article 21(2) on Nov. 6, 2003 in English and which claims the benefit of U.S. Provisional Patent Application No. 60/376,160, filed Apr. 26, 2002.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention generally relates to networking and, more particularly, to a method for transitive Authentication, Authorization and Accounting (AAA) in the interworking between access networks.

2. Background of the Invention

Typically, Authentication, Authorization and Accounting (AAA) are required to access and utilize networks such as cellular networks and Wireless Local Area Networks (WLANs). In an environment in which a mobile terminal has multiple network access mechanisms, providing AAA interworking among these networks is of great importance. However, it is generally the case that one or more of the involved networks have a closed AAA scheme, and it is difficult for one of the networks to use the AAA structure of another one of the networks and vice versa. For example, cellular networks have an AAA infrastructure that is not compatible with Internet-based AAA and cannot be easily accessed through Internet protocols, even though the involved networks (including the cellular networks) have external IP connectivity.

Conventional approaches for providing AAA interworking all require a special interworking function between the networks, even for AAA interworking between networks that have pre-established trust relationships amongst themselves. Using this interworking function, e.g., network B will then access network A's AAA infrastructure to authenticate a user which has already been authenticated by network A (through a closed network AAA mechanism). The conventional approaches do not take advantage of the fact that the user has already been authenticated by network A, which has a pre-established trust relationship with network B.

Accordingly, it would be desirable and highly advantageous to have a method for transferring the trust that is attributed to a user by one network from that network to another network, particularly without requiring any special interworking function to accomplish the same.

SUMMARY OF THE INVENTION

The problems stated above, as well as other related problems of the prior art, are solved by the present invention, a method for transitive Authentication, Authorization and Accounting (AAA) in the interworking between access networks.

According to an aspect of the present invention, there is provided a method for allowing a user device that has already been authenticated by a first network to gain access to a second network. The first network and the second network have a pre-established trust relationship therebetween. A packet is received from the user device that includes a user device public key, by the second network. A session key is sent from the second network to the user device when a source Internet Protocol (IP) address associated with the packet falls into a range allocated to the first network. The session key is encrypted with the user device public key. The session key is for permitting the user device to access the second network.

These and other aspects, features and advantages of the present invention will become apparent from the following detailed description of preferred embodiments, which is to be read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a computer system 100 to which the present invention may be applied, according to an illustrative embodiment of the present invention;

FIG. 2 is a block diagram illustrating a transitive AAA structure to which the present invention may be applied, according to an illustrative embodiment of the present invention;

FIG. 3 is a flow diagram illustrating an AAA method for allowing a user device that has been authenticated by a 3G cellular network to gain access to a Wireless Local Area Network (WLAN), according to an illustrative embodiment of the present invention; and

FIG. 4 is a flow diagram illustrating an accounting method for performing an accounting for the user of the user device of the method of FIG. 3, according to an illustrative embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention is directed to a transitive Authentication, Authorization and Accounting (AAA) scheme for an interworking between access networks. It is to be appreciated that the present invention is applicable to any combination of access networks. However, the present invention is particularly applicable to cellular network and Wireless Local Area Network (WLAN) interworking.

The present invention transfers the trust placed in a user by a first access network to a second access network, where the first and the second access networks have a pre-established trust relationship. In contrast to the prior art, the present invention does not require any special interworking function between the two networks, but rather relies on IP addressing and routing schemes to verify the user's access right. It is to be appreciated that the present invention is also referred to herein as transitive AAA.

It is to be understood that the present invention may be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof. Preferably, the present invention is implemented as a combination of hardware and software. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage device. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (CPU), a random access memory (RAM), and input/output (I/O) interface(s). The computer platform also includes an operating system and microinstruction code. The various processes and functions described herein may either be part of the microinstruction code or part of the application program (or a combination thereof) which is executed via the operating system. In addition, various other peripheral devices may be connected to the computer platform, such as an additional data storage device and a printing device.

It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying Figures are preferably implemented in software, the actual connections between the system components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

FIG. 1 is a block diagram illustrating a computer system 100 to which the present invention may be applied, according to an illustrative embodiment of the present invention. The computer processing system 100 includes at least one processor (CPU) 102 operatively coupled to other components via a system bus 104. A read only memory (ROM) 106, a random access memory (RAM) 108, a display adapter 110, an I/O adapter 112, a user interface adapter 114, a sound adapter 199, and a network adapter 198 are operatively coupled to the system bus 104.

A display device 116 is operatively coupled to system bus 104 by display adapter 110. A disk storage device (e.g., a magnetic or optical disk storage device) 118 is operatively coupled to system bus 104 by I/O adapter 112.

A mouse 120 and keyboard/keypad 122 are operatively coupled to system bus 104 by user interface adapter 114. The mouse 120 and keyboard/keypad 122 are used to input and output information to and from system 100.

At least one speaker (hereinafter "speaker") 185 is operatively coupled to system bus 104 by sound adapter 199.

A (digital and/or analog) modem 196 is operatively coupled to system bus 104 by network adapter 198.

FIG. 2 is a block diagram illustrating a transitive AAA structure to which the present invention may be applied, according to an illustrative embodiment of the present invention. In the illustrative embodiment of FIG. 2, the transitive AAA structure includes: a first network 210; a second network 220; the Internet 230; and a user device 240. The second network 220 includes an AAA server 230a. The user device 240 includes a first network interface 240a and a second network interface 240b. It is to be appreciated that while the present invention is described herein with respect to two networks, the present invention may be applied with any number and any types of networks, while maintaining the spirit and scope of the present invention.

For the purpose of illustrating the present invention, the following description thereof is made with respect to two networks, a 3G cellular network and a Wireless Local Area Network (WLAN). However, it is to be appreciated that the present invention may be applied to any number of networks in combination as well as any type of network, while maintaining the spirit and scope of the present invention.

In the illustrative example, user device 240 has dual radio interfaces for accessing the 3G network and the WLAN. According to the present invention, user device 240 is able to access WLAN 220 via the AAA mechanism of the 3G network 210 as follows. Upon detection of WLAN 220, user device 240 determines whether WLAN 220 supports transitive AAA. If so, user device 240 sends a registration message to the 3G network via path 214. The registration message includes a user public key. The registration message is transmitted to WLAN AAA server 230a via the Internet as indicated by paths 216 and 222. Upon receiving the registration message, WLAN AAA server 230a checks the source IP address to determine whether the received address is within a range of addresses for which transitive AAA is supported. If so, WLAN AAA server 230a provides a session key that is encrypted with the user device public key and transmits the session key to 3G network 210 via the Internet as indicated by paths 224 and 218. The 3G network then transmits the session key to user device 240 as indicated by path 212. User device 240 then decrypts the session key using a user device private key and is able to gain access to WLAN 220 using the session key.

In this manner, user device 240 is able to gain access to WLAN 220 via the AAA mechanism of 3G network 210, as long as WLAN 220 supports transitive AAA and has a pre-existing trust relationship with 3G network 210. The present invention provides a mechanism for allowing a user device 240 to "roam" between WLANs that have a pre-existing relationship with the 3G network by directly using the AAA mechanism of the 3G network, rather than having the WLAN contact the 3G AAA services for authentication or using the AAA mechanism associated with each WLAN.

The 3G cellular network is allocated a range of IP addresses; when the user uses the 3G cellular network for IP access, the source IP address will fall into this range. Given the routing scheme of the Internet, while any snooper can fake such a source IP address, when a return IP packet is sent, it can only be received by the user that actually holds the IP address, unless the snooper can break into the routers that forward the IP packets. The source address check therefore does not by itself prove who sent the registration message; what the scheme relies on is that the return packet carrying the encrypted session key is delivered only to the legitimate holder of that address. Thus, the present invention may provide an additional measure of security.

FIG. 3 is a flow diagram illustrating an AAA method for allowing a user device that has been authenticated by a 3G cellular network to gain access to a Wireless Local Area Network (WLAN), according to an illustrative embodiment of the present invention. The user device has two radio access interfaces (3G cellular and WLAN). The 3G cellular network and the WLAN have a pre-established trust relationship therebetween.

Upon the user device moving into an area under the coverage of the WLAN, it is determined (e.g., by the WLAN interface of the user device) whether the WLAN supports transitive AAA and whether the 3G cellular network has a pre-established trust relationship with the WLAN (e.g., through broadcasting or the Dynamic Host Configuration Protocol (DHCP)) (step 302). If not, then the method is terminated. Otherwise, step 304 is performed as described herein below and then the method proceeds to step 305. At step 305, the IP address of an AAA server of the WLAN (hereinafter WLAN AAA server) is obtained by the user device.

A User Datagram Protocol (UDP) packet that includes a registration message is sent from the user device to the WLAN AAA server, e.g., through the 3G cellular interface of the user device (step 310). It is to be appreciated that while step 310 is described with respect to a UDP packet, any type of packet may be employed including, but not limited to, a Transmission Control Protocol (TCP) packet. The registration message includes the WLAN address (e.g., the Medium Access Control (MAC) address or IP address of the WLAN interface) of the user device, and the public key of the user device.

Upon receiving the registration message, the WLAN AAA server determines whether the source IP address of the registration message (e.g., an IP address of the 3G interface) falls into a range allocated to the 3G cellular network with which the WLAN network has a pre-established relationship (step 315). If not, then the method is terminated. Otherwise, the WLAN AAA server sends back a confirmation message to the 3G cellular interface of the user device (step 320). The confirmation message includes a session key that is to be used between the user device and the WLAN (the session key permits the user device to access the WLAN); the session key is encrypted with the public key of the user device. The WLAN AAA server also registers a mapping between the WLAN address of the user device and the (assigned) session key (step 325). Step 325 is performed so that a given session key is associated with a corresponding user.

Upon receiving the confirmation message (e.g., via the 3G cellular interface of the user device), the session key is decrypted using a private key of the user device (step 328). Using the session key, access to the WLAN is obtained by the user device (step 330).
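The exchange of steps 310 through 330, as an added worked example that is not part of the patent specification. The registration message layout, the operator address range 10.20.0.0/16, the use of RSA-OAEP as the public-key encryption (the specification says only that the session key is encrypted with the user device public key) and the in-memory mapping table are all assumptions made here for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"net"
)

// oaepLabel binds the ciphertext to this use; both sides must use the same label (assumed).
var oaepLabel = []byte("transitive-aaa")

// RegistrationMessage is the payload of the step-310 packet (assumed layout).
type RegistrationMessage struct {
	SourceIP  net.IP         // source address of the packet as seen by the WLAN AAA server
	WLANAddr  string         // MAC (or IP) of the device's WLAN interface
	PublicKey *rsa.PublicKey // user device public key
}

// WLANAAAServer holds the address ranges of partner cellular networks that
// have a pre-established trust relationship, plus the step-325 mapping.
type WLANAAAServer struct {
	trustedRanges []*net.IPNet
	sessionKeys   map[string][]byte // WLAN address -> session key
}

func NewWLANAAAServer(cidrs ...string) (*WLANAAAServer, error) {
	s := &WLANAAAServer{sessionKeys: map[string][]byte{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		s.trustedRanges = append(s.trustedRanges, n)
	}
	return s, nil
}

// fromTrustedNetwork is the step-315 check: is the source inside a partner range?
func (s *WLANAAAServer) fromTrustedNetwork(ip net.IP) bool {
	for _, n := range s.trustedRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// HandleRegistration performs steps 315 to 325: check the source address, mint a
// session key, encrypt it to the device's public key and record the mapping.
// Nothing is recorded for a rejected source.
func (s *WLANAAAServer) HandleRegistration(m RegistrationMessage) ([]byte, error) {
	if !s.fromTrustedNetwork(m.SourceIP) {
		return nil, errors.New("source address not in a trusted cellular range")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, m.PublicKey, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	s.sessionKeys[m.WLANAddr] = key
	return ct, nil
}

// SessionKeyFor is what the WLAN side consults when the device attaches at step 330.
func (s *WLANAAAServer) SessionKeyFor(wlanAddr string) ([]byte, bool) {
	k, ok := s.sessionKeys[wlanAddr]
	return k, ok
}

// DecryptConfirmation is step 328 on the user device.
func DecryptConfirmation(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
}

// RunExchange walks the whole FIG. 3 exchange for one device and reports whether
// the key the device recovered is the one the WLAN recorded for its WLAN address.
func RunExchange(srv *WLANAAAServer, srcIP, wlanAddr string) (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	ct, err := srv.HandleRegistration(RegistrationMessage{
		SourceIP: net.ParseIP(srcIP), WLANAddr: wlanAddr, PublicKey: &priv.PublicKey})
	if err != nil {
		return false, err
	}
	got, err := DecryptConfirmation(priv, ct)
	if err != nil {
		return false, err
	}
	want, ok := srv.SessionKeyFor(wlanAddr)
	return ok && string(got) == string(want), nil
}

func main() {
	srv, _ := NewWLANAAAServer("10.20.0.0/16") // constructed: the 3G operator's range
	ok, err := RunExchange(srv, "10.20.7.42", "00:11:22:33:44:55")
	fmt.Println("in-range device obtained matching session key:", ok, err)
	_, err = RunExchange(srv, "192.0.2.9", "66:77:88:99:aa:bb")
	fmt.Println("out-of-range device:", err)
}
```

The mapping is keyed by the WLAN address the device itself supplied in the registration message, so the WLAN must still require proof of possession of the session key when the device attaches; the address alone identifies nothing.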

A description will now be given of a possible collaborative hacker attack on the method of FIG. 3. It is to be appreciated that the following attack is possible due to the use of IP addressing and IP routing without additional authentication support from the 3G cellular network. A hacker sends a registration message with a fake source IP address that falls into the range of the 3G cellular network and with a public key whose private key the hacker holds; the source address check of step 315 cannot distinguish this message from a genuine one. The hacker then intercepts the confirmation message somewhere along the route between the WLAN and the 3G cellular core network and decrypts the session key with that private key. The hacker notifies another hacker within the WLAN coverage about the discovered key.

However, it is very difficult to accomplish the above attack, especially the step of intercepting the confirmation message. The hacker has to gain access to a router along the route between the WLAN and the 3G network just for the purpose of obtaining a session key, and the two hackers have to collaborate to carry out the attack (assuming that a hacker within the coverage of the WLAN cannot get access to any of the routers discussed above, because if the hacker could obtain such access, there would have been no point in carrying out the attack, since the hacker would already have had Internet access).

To prevent the preceding collaborative hacker attack, step 304 is performed in the method of FIG. 3. At step 304, a secure IP channel (e.g., an Internet Protocol Security (IPsec) tunnel) is established between the WLAN AAA server and a Gateway GPRS Support Node (GGSN) of the 3G cellular network, GPRS being the General Packet Radio Service. Since the path is also secure between the user and the GGSN of the 3G cellular network (as ensured by the 3G network security), the above attack can be thwarted. The tunnel protects the confirmation message only on the leg it covers, so the WLAN AAA server should accept registration messages and send confirmation messages for the partner range exclusively through the tunnel; a confirmation sent outside it in reply to a spoofed registration reproduces the attack.
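The collaborative attack and the effect of step 304, as an added example that is not part of the patent specification. The IPsec tunnel between the GGSN and the WLAN AAA server is modelled here as AES-256-GCM under a pre-shared key (a stand-in for ESP, not an IPsec implementation), the operator range 10.20.0.0/16 and the spoofed address are constructed, and RSA-OAEP is assumed as the public-key encryption of the session key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"net"
)

// cellularRange is the constructed operator range the WLAN trusts at step 315.
var cellularRange = mustCIDR("10.20.0.0/16")

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SourceCheckPasses is the only authentication the WLAN AAA server performs at
// step 315; a spoofed source inside the range passes it like a genuine one.
func SourceCheckPasses(src string) bool {
	return cellularRange.Contains(net.ParseIP(src))
}

// tunnelSeal models the step-304 secure channel as AES-GCM: nonce || ciphertext || tag.
func tunnelSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// AttackerRecoversKey plays the attack: the first hacker registers a spoofed
// in-range source with a public key he controls; a tap on the WLAN-to-GGSN
// path captures the confirmation; the hacker decrypts it with his private key.
// With tunnelled=true the tap captures only the tunnel ciphertext. Returns
// whether the attacker ends up holding the session key.
func AttackerRecoversKey(tunnelled bool) (bool, error) {
	if !SourceCheckPasses("10.20.200.1") { // spoofed source, inside the operator range
		return false, fmt.Errorf("spoofed source unexpectedly rejected")
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return false, err
	}
	// Step 320 as the server performs it: encrypt to whatever public key the
	// registration carried. Nothing ties that key to a real subscriber.
	confirmation, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &attacker.PublicKey, sessionKey, nil)
	if err != nil {
		return false, err
	}
	onTheWire := confirmation
	if tunnelled {
		tunnelKey := make([]byte, 32) // pre-shared between GGSN and WLAN AAA server (assumed)
		if _, err := rand.Read(tunnelKey); err != nil {
			return false, err
		}
		if onTheWire, err = tunnelSeal(tunnelKey, confirmation); err != nil {
			return false, err
		}
	}
	// The tap hands the captured bytes to the attacker, who tries his private key.
	got, err := rsa.DecryptOAEP(sha256.New(), nil, attacker, onTheWire, nil)
	return err == nil && string(got) == string(sessionKey), nil
}

func main() {
	exposed, _ := AttackerRecoversKey(false)
	sealed, _ := AttackerRecoversKey(true)
	fmt.Println("session key recovered without tunnel:", exposed, "; with tunnel:", sealed)
}
```

The point the example makes concrete is that the source address check accepts the spoofed registration; confidentiality of the return path is the only thing standing between the attacker and the session key.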

A description will now be given of an accounting method that may be employed along with the method of FIG. 3, according to an illustrative embodiment of the present invention. FIG. 4 is a flow diagram illustrating an accounting method for performing an accounting for the user of the user device of the method of FIG. 3, according to an illustrative embodiment of the present invention.

It is determined whether the IP address of the 3G cellular interface of the user device is a static IP address (step 405). If so, the identity of the user is determined based upon the IP address of the 3G cellular interface (step 410), and the method proceeds to step 450. Otherwise (the IP address is dynamic), the identity of the user is determined from a mapping between the (temporary) IP address of the 3G cellular interface and the actual ID of the user (step 415), and the method proceeds to step 450. At step 450, an accounting step is performed with respect to the user based on the IP address of the 3G cellular interface (static IP address) or the mapping (dynamic IP address).

It is to be appreciated that for the purposes of the present invention, Network Address Translation (NAT) is treated the same as if the IP address of the 3G cellular interface were dynamic. Moreover, with respect to the mapping referred to at step 415 above, such mapping may be stored, e.g., at a DHCP server or a NAT server if NAT is used. It is to be further appreciated that the present invention is not limited to the use of mappings to determine user identity in the case of a non-static IP address and, thus, other approaches may be employed, while maintaining the spirit and scope of the present invention.
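Steps 405 through 450, as an added example that is not part of the patent specification. It assumes that the usage data the WLAN reports to the cellular network carries the cellular source address observed at step 315 together with the time of registration, and that the step-415 mapping is available as a table of leases (DHCP or NAT) with validity intervals; the record formats and the subscriber names are constructed. The time-window join is the part a practitioner should not skip: a dynamic address is reused, so a lease that matches the address but not the registration time belongs to a different subscriber.

```go
package main

import (
	"fmt"
	"time"
)

// UsageRecord is one usage report from the WLAN (assumed layout): the device's
// WLAN address, the cellular source address seen at registration, when that
// registration was received, and the bytes consumed on the WLAN.
type UsageRecord struct {
	WLANAddr     string
	CellularIP   string
	RegisteredAt time.Time
	Bytes        int64
}

// Lease is one row of the step-415 mapping: a temporary cellular address held
// by a subscriber during [Start, End). A NAT table is modelled the same way.
type Lease struct {
	IP         string
	Subscriber string
	Start, End time.Time
}

// Resolver answers step 405/410 (static addresses) and step 415 (dynamic ones).
type Resolver struct {
	static map[string]string // static IP -> subscriber
	leases []Lease
}

// Identify returns the subscriber holding ip at the instant the registration was
// received, or false if no static entry or covering lease exists.
func (r *Resolver) Identify(ip string, at time.Time) (string, bool) {
	if s, ok := r.static[ip]; ok {
		return s, true
	}
	for _, l := range r.leases {
		if l.IP == ip && !at.Before(l.Start) && at.Before(l.End) {
			return l.Subscriber, true
		}
	}
	return "", false
}

// Account performs step 450: bytes per subscriber, plus the records that could
// not be attributed, which are returned rather than billed to a guessed party.
func (r *Resolver) Account(usage []UsageRecord) (map[string]int64, []UsageRecord) {
	totals := map[string]int64{}
	var orphans []UsageRecord
	for _, u := range usage {
		sub, ok := r.Identify(u.CellularIP, u.RegisteredAt)
		if !ok {
			orphans = append(orphans, u)
			continue
		}
		totals[sub] += u.Bytes
	}
	return totals, orphans
}

// SampleResolver holds constructed data: one static subscriber and two
// subscribers who hold the same dynamic address on consecutive days.
func SampleResolver() *Resolver {
	day := func(d int) time.Time { return time.Date(2003, 3, d, 0, 0, 0, 0, time.UTC) }
	return &Resolver{
		static: map[string]string{"10.20.0.5": "alice"},
		leases: []Lease{
			{IP: "10.20.7.42", Subscriber: "bob", Start: day(1), End: day(2)},
			{IP: "10.20.7.42", Subscriber: "carol", Start: day(2), End: day(3)},
		},
	}
}

// SampleUsage is constructed WLAN usage data, including one record whose
// registration time falls outside every lease for its address.
func SampleUsage() []UsageRecord {
	at := func(d, h int) time.Time { return time.Date(2003, 3, d, h, 0, 0, 0, time.UTC) }
	return []UsageRecord{
		{"00:11:22:33:44:55", "10.20.0.5", at(1, 9), 1000},  // static address
		{"00:11:22:33:44:66", "10.20.7.42", at(1, 10), 2000}, // bob's lease
		{"00:11:22:33:44:77", "10.20.7.42", at(2, 10), 3000}, // same address, carol's lease
		{"00:11:22:33:44:88", "10.20.7.42", at(5, 10), 4000}, // no covering lease
	}
}

func main() {
	totals, orphans := SampleResolver().Account(SampleUsage())
	fmt.Println("bytes per subscriber:", totals)
	fmt.Println("unattributable records:", len(orphans))
}
```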

Although the illustrative embodiments have been described herein with reference to the accompanying drawings, it is to be understood that the present invention is not limited to those precise embodiments, and that various other changes and modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention. All such changes and modifications are intended to be included within the scope of the invention as defined by the appended claims.

1. A method for allowing a user device having dual radio interfaces to access a wireless local area network, comprising the steps of: receiving, by a wireless local area network, from a cellular radio interface of the user device, via an internet network, a registration message that includes a user device public key, the user device having been authenticated by a cellular network, the wireless local area network having a pre-established trust relationship with the cellular network; determining whether a source internet protocol address received from the cellular network is within a predetermined range of source internet protocol addresses, and if so, generating a session key in response to the user device public key, the session key adapted to be decrypted using a user device private key, transmitting the session key to the cellular network from the wireless local area network via the internet network, and allowing a wireless local area network radio interface of the user device to access the wireless local area network using the session key.

2. The method according to claim 1, further comprising the step of establishing a secure internet protocol channel between the wireless local area network and the cellular network.

3. The method according to claim 1, further comprising the steps of receiving an address of an interface associated with the user device, and registering a mapping between the interface address and the session key.

4. The method according to claim 3, wherein the interface address comprises one of a Medium Access Control (MAC) address and an Internet Protocol (IP) address.

5. The method according to claim 3, further comprising the steps of generating usage data in response to the accessing of the wireless local area network by the user device, and transmitting the usage data to the cellular network, wherein accounting information for the user device is generated in response to the usage data.

6. A method for accessing a wireless local area network using a user device having a wireless local area radio interface and a cellular radio interface, comprising the steps of: establishing communications with a cellular network and performing an authentication step with the cellular network using the cellular radio interface; transmitting a registration message that includes a user device public key to the cellular network; receiving by the user device from the cellular network a session key received from the wireless local area network in response to the registration message; decrypting the session key with a private key; and establishing access to the wireless local area network using the wireless local area network radio interface and the session key.

7. The method according to claim 6, wherein the registration message includes an address associated with an interface for communicating with the wireless local area network, wherein a mapping is generated between the address and the session key.

8. The method according to claim 7, wherein the interface address comprises one of a Medium Access Control (MAC) address and an Internet Protocol (IP) address.

9. The method according to claim 8, further comprising the step of receiving accounting information regarding the user device access to the wireless local area network via one of the wireless local area network and the cellular network.

10. The method according to claim 6, further comprising the step of initially determining whether the cellular network has a pre-established trust relationship with the wireless local area network.

11. A method for allowing a user device having a cellular radio interface and a wireless local area network radio interface in communication with a cellular network to access a wireless local area network, the cellular network and the wireless local area network having a pre-established trust relationship therebetween, the method comprising the steps of: authenticating the user device within the cellular network; receiving from the user device, via the cellular radio interface, a registration message that includes a user device public key; transmitting, via an internet network, a message that includes the user device public key and a source address that falls within a predetermined range allocated to the cellular network to the wireless local area network; receiving, via the internet network, a session key from the wireless local area network; and transmitting the session key to the user device, wherein the session key allows the user device to access the wireless local area network using the wireless local area network radio interface.

12. The method according to claim 11, further comprising the step of establishing a secure internet protocol channel between the cellular network and the wireless local area network to prevent unauthorized interception of the session key.

13. The method according to claim 11, further comprising the step of receiving an address of an interface associated with the user device, and registering a mapping between the interface address and the session key.

14. The method according to claim 13, wherein the address of the interface comprises one of a Medium Access Control (MAC) address and an Internet Protocol (IP) address.

15. The method according to claim 13, further comprising the step of receiving usage data from the wireless local area network indicative of user device access of the wireless local area network and generating accounting information associated with the user device based on the usage data.

16. The method according to claim 11, wherein the session key is encrypted using the user device public key, and is adapted to be decrypted using a user device private key.

17. A method for accessing a wireless local area network using a user device having a cellular radio interface and a wireless local area network radio interface, said method comprising: establishing, by said user device, communications with a first communications network using the cellular radio interface, said first communications network authenticating said user device; transmitting a registration message by said user device, to said wireless local area network using a user public key via said first communications network; receiving, by said user device, from said wireless local area network via the first communications network, a session key generated in response to said registration message; decrypting, by said user device, said session key using a user private key; and establishing secure communications using the wireless local area network radio interface of the user device, with said wireless local area network using said session key.

18. The method according to claim 17, wherein said first communications network is a cellular network.